As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness. During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million. This does not increase the overall estimate of 21.5 million individuals impacted by the incident. An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals.

Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

As we have stated previously, all individuals impacted by this intrusion and their minor dependent children (as of July 1, 2015) are eligible for identify theft and fraud protection services, at no cost to them. In conjunction with the Department of Defense, OPM is working to begin mailing notifications to impacted individuals, and these notifications will proceed on a rolling basis.

OPM and our partners across government are working to protect the safety and security of the information of Federal employees, service-members, contractors, and others who provide their information to us. Together with our interagency partners, OPM is committed to delivering high-quality identity protection services to impacted individuals. The interagency team will continue to review the impacted data to enhance its quality and completeness, and to monitor for any misuse of the data. The U.S. Government will continue to evaluate the coverage being provided and whether any adjustments are needed in association with this incident.

4 responses

On Sept 1, OPM/DOD announced another identity protection contract; that new company is supposed to start notifying impacted individuals. The stolen fingerprints is part of the 21M originally impacted individuals according to OPM. Not sure those notification have actually gone out. Or at least, I haven’t heard that the notification has started.

This will be important from a counterintelligence standpoint, since it could allow identity alteration or substitution within the federal personnel system, assuming, as we must, that OPM and other agencies are still compromised. We really should just start over.